Hi,
What would be the right approach to enable secure cookies in AEM Cloud? I've been trying by adding org.apache.felix.http.cfg.json with the values below, but that doesn't seem to work.
{
"org.apache.felix.https.jetty.session.cookie.secure": "true",
"org.apache.felix.proxy.load.balancer.connection.enable": "true"
}
The cookie I'm looking at specifically is the affinity cookie.
Thanks!
The official Adobe communication is as follows:
The affinity cookie is set by Envoy to allocate the client a pointer into the ringhash that ensures their requests go back to the same pod where they pod exists. The cookie is a session cookie and must not have Max Age or Expires set, which would make the cookie Persistent (see [1]). It is HttpOnly already. We only serve traffic over HTTPS so it is secure by default. The value of the cookie has no intrinsic value and does not give the client any insight into which hardware they are targeting, as the RingHash[2] algorithm does not allow a client to manipulate the cookie to target specific pods. The algorithm only allows the client, on presentation of the value, to target the same pod. Possession of the cookie value has the same value as getting hold of a random number that has no meaning.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie
Possibly the customers do not have any control over the setup here.
I have the same requirement from a customer. The affinity cookie has no "Secure" attribute.
I set the "org.apache.felix.http" config as below.
"org.apache.felix.https.jetty.session.cookie.secure": true
I also tried to edit cookies on the dispatcher, but that didn't work either.
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;
Is there anything else I could do to update the "Secure" attribute on the affinity cookie?
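An added example, not part of the thread and not Adobe's code: a small Python audit of Set-Cookie values for the attributes discussed above (Secure, HttpOnly, SameSite, session versus persistent), together with a simulation of what the posted dispatcher rule produces on a header it rewrites. The cookie names and values are constructed samples, and the helper names are hypothetical.

```python
import re

# Constructed sample Set-Cookie values; cookie names and values are assumptions.
SAMPLE_HEADERS = [
    'affinity="a1b2c3d4e5f60718"; Path=/; HttpOnly',
    "example-token=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax",
]

def audit_set_cookie(header_value):
    """Parse one Set-Cookie value and report its security-relevant attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite") or None,
        # No Expires and no Max-Age means a session cookie, not a persistent one.
        "session": "expires" not in attrs and "max-age" not in attrs,
    }

def missing_attributes(header_value):
    """List the attributes a scanner would typically flag as absent."""
    report = audit_set_cookie(header_value)
    return [flag for flag in ("secure", "httponly", "samesite") if not report[flag]]

def apply_header_edit(header_value):
    """Mimic the posted rule: Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;"""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure;", header_value, count=1)

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        print(audit_set_cookie(raw)["name"], "before:", missing_attributes(raw))
        print("  after rule:", missing_attributes(apply_header_edit(raw)))
```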
Hello @berkayf70599426,
Can you please let me know how you added the secure flag for the affinity cookie? I need to add the secure flag and the same site attributes for the affinity cookie for my website.
Thanks in advance.
Regards,
Bhavani Bharanidharan
Hello Bhavani,
Is there any luck setting the affinity cookie as secure? I am also facing a similar issue in AEMaaCS.
Thanks,
Pradeep